June 11th, 2008

In what appears to be an attempt to provoke Apple into reconsidering its currently passive position on the severity of the flaw dubbed “carpet bomb”, working proof-of-concept exploit code has been released at Liu Die Yu’s security blog:

Nitesh Dhanjani discovered that Safari for Windows automatically puts downloads on the Desktop and argued this can potentially make a mess of the Desktop, naming it the effect of “Safari Carpet Bomb”. Later Microsoft issued an advisory stating “remote code execution on all supported versions of Windows XP and Windows Vista” and “Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer”. Aviv Raff posted on his blog “Safari pwns Internet Explorer”, clarifying “this combined attack also exploits an old vulnerability in Internet Explorer that I’ve already reported to them a long long time ago”.

The old vulnerability that Aviv Raff reported to Microsoft a long time ago is described in two articles by Aviv Raff: IE7 DLL-load hijacking Code Execution Exploit PoC, and Internet Explorer 7 - Still Spyware Writers Heaven, both dating back to 2006 (yeah, that’s really “a long long time ago”). This vulnerability lies in Windows Internet Explorer loading program library files (DLL) from the user’s Desktop instead of its own library file folder (usually C:\WINDOWS\SYSTEM32) when filenames are set to some specific values.

Safari for Windows puts downloads on the Desktop by default without a dialog box (such as the “File Download” dialog box in IE). Well, this is in fact a quite reasonable and convenient feature - downloading and saving the requested file to the user’s Desktop by default. This feature itself does not constitute a mistake. What really makes the “blended threat” is a problem in how Windows Internet Explorer (and probably others) loads program library files (DLL).
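The quoted write-up above describes the mechanism in one sentence: a library referenced only by file name is looked up along a list of directories, so a same-named file in a folder that is searched before the real library folder (here the Desktop, where Safari drops downloads) wins. The following is an added model of that search-order problem and of a simple defender’s check for it; it is not code from the original post or from Liu Die Yu or Aviv Raff, it runs on any OS, and the directory names (`Desktop`, `system32`) and library names (`example.dll`, `other.dll`) are constructed for the illustration.

```python
"""
Model of the library search-order problem behind the "carpet bomb" blended
threat.  A loader that accepts a bare file name walks a list of directories
in order and takes the first match, so whichever directory comes first in
that list decides which copy is loaded.  Added example with constructed
directory and file names; not code from the original post.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def resolve_library(name: str, search_order: List[Path]) -> Optional[Path]:
    """Return the first file called `name` found along `search_order`,
    matching case-insensitively the way Windows file names compare.
    This mimics a loader given a bare file name instead of a full path."""
    for directory in search_order:
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.is_file() and entry.name.lower() == name.lower():
                return entry
    return None


def shadowed_libraries(download_dir: Path, library_dir: Path) -> List[str]:
    """Defender's check: names in the download folder that collide with a
    library name in the real library folder.  Any hit is a file that a
    by-name load could pick up if the download folder is searched first."""
    real_names = {p.name.lower() for p in library_dir.iterdir() if p.is_file()}
    return sorted(
        p.name
        for p in download_dir.iterdir()
        if p.is_file() and p.name.lower() in real_names
    )


def build_fixture() -> Tuple[Path, Path]:
    """Constructed layout: a 'Desktop' download folder and a 'system32'
    library folder that both hold a file with the same (constructed) name."""
    root = Path(tempfile.mkdtemp(prefix="carpetbomb-model-"))
    desktop = root / "Desktop"
    system32 = root / "system32"
    desktop.mkdir()
    system32.mkdir()
    (system32 / "example.dll").write_text("genuine library (constructed)")
    (system32 / "other.dll").write_text("genuine library (constructed)")
    (desktop / "Example.DLL").write_text("download with a colliding name (constructed)")
    (desktop / "notes.txt").write_text("harmless download (constructed)")
    return desktop, system32


if __name__ == "__main__":
    desktop, system32 = build_fixture()
    # Problematic order: the working directory (the Desktop) before the library folder.
    print("Desktop first:  ", resolve_library("example.dll", [desktop, system32]))
    # Corrected order: the library folder first, or the working directory dropped entirely.
    print("system32 first: ", resolve_library("example.dll", [system32, desktop]))
    print("no Desktop:     ", resolve_library("example.dll", [system32]))
    # The check a defender would run over a download folder.
    print("colliding names:", shadowed_libraries(desktop, system32))
```

The fix on the loading side is to search the program’s own library folder before (or instead of) the working directory, which is what the second and third `resolve_library` calls model; the fix on the user’s side, as the post recommends, is to point downloads at a folder that no program treats as a working directory, and `shadowed_libraries` is a quick way to audit whatever folder downloads currently land in.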

In a situation where researchers and anti-malware groups have clearly demonstrated that this vulnerability can be abused, Apple’s passive attitude, which has as much to do with protecting the image of invincibility its PR folks have built around its software as with the actual impact, can only be changed by going full disclosure with the exploit, no matter how much vendors hate it. Nothing’s impossible, the impossible just takes a little longer, and the same goes for finding bugs in software pitched as the most secure there is.

How to protect yourself? Watch what you click on, change the browser’s default download location, or consider avoiding Safari for Windows until the flaw gets some attention in the first place, and hopefully gets fixed later on.